Enterprises increasingly utilize virtualized, or cloud-based, computing resources in their daily operations. Through frameworks such as Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and others, businesses and other organizations rely on cloud computing platforms (e.g., Amazon's AWS™, Microsoft's Azure™, Google's Cloud Platform™, and others) to store data and applications, execute applications, perform computing functions, and interface with other network resources.
In many virtualized environments, particular tasks require privileged access rights. For example, access to a sensitive database may require an administrator's password or other credential. Further, specific actions (e.g., deleting a file, uploading software code, writing to sensitive memory, accessing sensitive applications, etc.) may require a password or other privileged access credential. Problems arise, however, when privileged access is granted at an unnecessarily high level to perform a particular task, is granted more broadly than needed, or is granted for an unnecessarily long time. For example, sometimes an application will need privileged access rights in order to read a particular file, but the actual privileged access that is granted may provide read, write, copy, and delete rights. In this situation, the write, copy, and delete rights may be unnecessary and consequently may increase the likelihood of the privileges being misused or improperly leveraged by an attacker. Similarly, if the application only needs read privileges for a particular task, in some situations the privileges are provided permanently, or until the credentials expire. This can also increase the likelihood of improper use of the credentials, since they may exist and form an attack surface for longer than needed.
These problems of overly strong privileges and lingering privileges are especially acute in virtualized network environments. In these environments, virtual computing instances (e.g., virtual machines, container instances, serverless code instances, etc.) are often dynamically instantiated, modified, and deactivated. This makes it very difficult to monitor the level of privileged access rights that individual virtual resources have at any given moment. A further layer of difficulty is determining whether the privileged access rights that individual resources have are unnecessarily strong or long-lived. Indeed, in a machine-to-machine virtualized environment, where virtualized resources may be spun up or modified automatically, or through automated policies, the universe of virtualized resources and their privileged access rights may be constantly changing and not fully known.
In view of these technological problems associated with managing privileged access rights in virtualized network environments, technological solutions are needed to more efficiently, accurately, and dynamically detect the privileged access rights possessed by individual resources. Further, solutions should determine whether individual resources have a scope of privileged access rights that is unduly strong or long in duration. In addition, solutions should provide efficient techniques for responding to situations where resources have unnecessary privileges, including by suggesting particular actions and by automatically performing actions to implement least-privilege policies.
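As an added illustration of the detection and remediation steps described above (example code, not part of the original text or any particular product), the following audit compares the rights a virtual resource was granted against the rights it actually exercised, flagging unused rights as unduly strong and permanent or long-lived grants as unduly long. All resource names, record formats and thresholds are assumptions constructed for the example.

```python
"""Added example (not from the original text): minimal least-privilege audit.
Compares rights a virtual resource was granted with rights it actually
exercised in an access log, flagging unused (overly strong) rights and
permanent or long-lived grants. All names, records and formats are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Grant:
    resource: str             # virtual machine, container or function identity
    target: str               # object the privilege applies to
    rights: frozenset         # granted rights, e.g. {"read", "write"}
    issued: datetime
    expires: datetime | None  # None means the grant never expires

# Constructed sample grants: container-a holds broad rights it does not need.
GRANTS = [
    Grant("container-a", "fileshare/reports",
          frozenset({"read", "write", "copy", "delete"}), datetime(2024, 1, 1), None),
    Grant("vm-b", "db/customers", frozenset({"read"}),
          datetime(2024, 3, 1), datetime(2024, 3, 2)),
]
# Constructed access log entries: (resource, target, right exercised, time)
ACCESS_LOG = [
    ("container-a", "fileshare/reports", "read", datetime(2024, 3, 10)),
    ("container-a", "fileshare/reports", "read", datetime(2024, 3, 11)),
    ("vm-b", "db/customers", "read", datetime(2024, 3, 1)),
]

def audit(grants, log, now, max_lifetime=timedelta(days=30)):
    """Return findings with a suggested least-privilege action for each."""
    exercised = {}
    for resource, target, right, _when in log:
        exercised.setdefault((resource, target), set()).add(right)
    findings = []
    for g in grants:
        used = exercised.get((g.resource, g.target), set())
        excess = sorted(g.rights - used)
        if excess:  # granted but never exercised: scope is unduly strong
            findings.append({"resource": g.resource, "target": g.target, "issue": "excess_rights",
                             "detail": excess, "action": f"restrict to {sorted(used)}"})
        lifetime = (g.expires or now) - g.issued
        if g.expires is None or lifetime > max_lifetime:  # unduly long-lived
            findings.append({"resource": g.resource, "target": g.target, "issue": "long_lived",
                             "detail": lifetime.days, "action": f"expire within {max_lifetime.days} days"})
    return findings

def run_sample():
    return audit(GRANTS, ACCESS_LOG, datetime(2024, 4, 1))
```

In the constructed data, only `container-a` is flagged: three of its four rights were never exercised, and its grant has no expiry, so both the excess-rights and the long-lived findings carry a concrete suggested action.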